Interview Questions – Part 4

SAP Security Interview Questions

Q. What important authorization objects are required to create and maintain user master records?

Following are some important authorization objects which are required to create and maintain user master records:
S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile
S_USER_AUT: User Master Maintenance: Create and maintain authorizations

Q. Which table is used to store illegal passwords?

Table USR40 is used to store illegal passwords. It can be used to store patterns of words which cannot be used as passwords.


Q. Explain the concept of “Status Text for Authorizations” – Standard, Changed, Maintained and Manual.

  • StandardIt means that all values in authorization field of an authorization instance is unchanged from the SAP default value (i.e. the values which are getting pulled from SU24)
  • Maintained – It means that at least one of the field values in an authorization instance was blank when it was pulled from SU24 (i.e. SAP default value) and that blank field has been updated with some value. Other fields already having some value have not been touched.
  • Changed – It means that the proposed value in at least one of the fields in an authorization instance has been changed.
  • Manual – It means that at least one authorization field has been manually added, i.e. it was not proposed by profile generator.

Q. What is the difference between Role and Profile?

A Role is like a container which contains authorization objects, transaction codes etc. A profile contains authorizations. When a role is generated using PFCG, a profile is generated which contains authorizations (instances of authorization objects).


PFCG_TIME_DEPENDENCY is a report which is used for user master comparison. It should be a practice to do user master comparison after every role change and profile generation so that the user’s master record gets updated with the correct authorization. This report also cleans up the expired profiles from user-master record. Role name still remains in the SU01 tab of the user. Transaction code PFUD can also be used to directly execute this report.



SAP Security Questions -Part 5 contd..